Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3797c9c2f8a09b948b72ae0267496e93.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 3797c9c2f8a09b948b72ae0267496e93.dll
  Resource: win10v2004-20220414-en
General
Target: 3797c9c2f8a09b948b72ae0267496e93.dll
Size: 5.0MB
MD5: 3797c9c2f8a09b948b72ae0267496e93
SHA1: 31becf765d42b6392738268dd2306b65e65c7ba1
SHA256: 84ac0e73d6980f73c61d410013af7fd3615ab730df2168b48a3323ae98c173d3
SHA512: 9629ce17170e29250ee9bd969264c49407dea271cf68228706b97f1b701b29d76b41637e42f5e938c935bdf33b4ae1c3067b2bcbb090f91f2eff1c43ce10079b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1270) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    1148  mssecsvc.exe
    1952  mssecsvc.exe
    1500  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description                   ioc                                                                                                                 process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
    description  ioc                                                                              process
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                      pid   process       target process
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 892 wrote to memory of 1816  892   rundll32.exe  rundll32.exe
    PID 1816 wrote to memory of 1148 1816  rundll32.exe  mssecsvc.exe
    PID 1816 wrote to memory of 1148 1816  rundll32.exe  mssecsvc.exe
    PID 1816 wrote to memory of 1148 1816  rundll32.exe  mssecsvc.exe
    PID 1816 wrote to memory of 1148 1816  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3797c9c2f8a09b948b72ae0267496e93.dll,#1
  PID: 892
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3797c9c2f8a09b948b72ae0267496e93.dll,#1
    PID: 1816
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1148
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1500
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1952
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7582a999f122d2e63122bad5040b8f5b
  SHA1: 46e377b43cce1328be1ffa3cb5c92336c90e1bbc
  SHA256: f196e67bab40d917830bbffb3347826c23305d97b2b1311160923a4803e7074a
  SHA512: 6fd93b69b5d2a0d39f8858f303aad7afd2445d66bb5716e0b9195c53964d68195e508bfc5047ab528aac8b54ac8c96cec6f6f23c86344af827931db9436524fa
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7582a999f122d2e63122bad5040b8f5b
  SHA1: 46e377b43cce1328be1ffa3cb5c92336c90e1bbc
  SHA256: f196e67bab40d917830bbffb3347826c23305d97b2b1311160923a4803e7074a
  SHA512: 6fd93b69b5d2a0d39f8858f303aad7afd2445d66bb5716e0b9195c53964d68195e508bfc5047ab528aac8b54ac8c96cec6f6f23c86344af827931db9436524fa
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7582a999f122d2e63122bad5040b8f5b
  SHA1: 46e377b43cce1328be1ffa3cb5c92336c90e1bbc
  SHA256: f196e67bab40d917830bbffb3347826c23305d97b2b1311160923a4803e7074a
  SHA512: 6fd93b69b5d2a0d39f8858f303aad7afd2445d66bb5716e0b9195c53964d68195e508bfc5047ab528aac8b54ac8c96cec6f6f23c86344af827931db9436524fa
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6637b0761727686d36acfca7337f2c9c
  SHA1: 6c3e0d9b765f666fba867d7c4c253c29216e5e01
  SHA256: 7052c1b6734eeb8dd715c1ee9148e6b32c805f0ddbce2fd4423e39c92d6870d6
  SHA512: 8a51e4cbd8f985716b00851b0d8306fa2b7079a5f42ad611f89b817841000fb0795120840461a4c3f32485f4a59258a412caa3111acd9bf17814bc67b6b9cfa4
memory/1148-56-0x0000000000000000-mapping.dmp
memory/1816-54-0x0000000000000000-mapping.dmp
memory/1816-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB